Support fingerprint reader login #284

Open
poetimp opened this Issue Oct 6, 2014 · 58 comments


poetimp commented Oct 6, 2014

This is a promotion of the original bug opened almost 10 years ago for KDM: Bug 116682 (https://bugs.kde.org/show_bug.cgi?id=116682)

As many laptops now have this ability as well as a number of personal devices such as phones and tablets, it is becoming a common option for authentication, regardless of our opinion of it. Adding this feature would bring the login process current with technology that is now well established in a consumer market.

rriemann commented Oct 7, 2014

👍

jleclanche commented Oct 7, 2014

+1

int-ua commented Nov 13, 2014

Note: KDM works with fprintd on Kubuntu 14.04. Haven't tried SDDM though.
Thinkpad E440 / VFS5011 / fprint_vfs5011

Out of curiosity, does SDDM have the ability to start several PAM sessions just like GDM does? It's necessary to be able to log in with password OR fingerprint.

@anarsoul Is that only necessary as a quirk of doing it graphically? In the past, I've set up "one or the other" for the console by relying on PAM's sufficient directive.

@ssokolow how're you going to skip password authentication or fingerprint authentication in case of single PAM session?

@anarsoul The key phrase was "necessary to be able to".

It's messy, but sufficient in the console login flow allows you to set up things like "just hit Enter at the password prompt to use fingerprint login". I was wondering whether the GUI prevented that or whether you were just being inexact with your phrasing.

@ssokolow, just install GDM and try. You can either type in password or swipe a finger. It's not necessary to hit enter in password input box.

GDM runs 2 PAM sessions in parallel, one for password and another for scanning a fingerprint.
GDM is smart enough not to run PAM session for fingerprinting if scanner is missing.

@anarsoul: Yes, I gathered that... but that's not what I asked.

What I asked was whether you were saying that something about the GUI makes the "Use a single PAM session where, if one fails, it tries the other" hack impossible.

(You said "necessary to be able to..." and I'm wondering if you meant "necessary to be able to properly...")

I meant it's necessary for proper user experience.

Thanks for the clarification.

@jleclanche jleclanche added this to the post-1.0 milestone Feb 20, 2015

MurzNN commented Mar 15, 2015

So for now, how can I configure SDDM to work with fprintd, using either a finger or a typed password for successful authentication?

@ssokolow Can you please elaborate on how you use sufficient to get fprintd to work? The fingerprint reader is working on the lock screen (press Enter, then light turns on and fingerprint authenticates); however, on the login screen, I press Enter, and the light turns on, but authentication fails; same finger :)

# head /etc/pam.d/sddm
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        sufficient    pam_fprintd.so
-auth        optional      pam_kwallet.so
auth        include       postlogin

ssokolow commented Apr 7, 2015

@averageradical Unfortunately, I don't remember the exact syntax I used. I know it was something like what you've quoted, but it's been several years and I don't currently have access to the config file in question to compare minutiae.

Resolved by modifying /etc/pam.d/sddm with the following top lines (the fprintd line is new) and restarting:

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        sufficient    pam_fprintd.so
auth        substack      password-auth
-auth        optional      pam_kwallet.so
auth        include       postlogin

Press enter on the login screen, then swipe your fingerprint.

anarsoul commented Apr 9, 2015

@averageradical well, it's only a workaround. Check out GDM to see how minimal fingerprint integration should look.

On Fedora 22 adding this line:
auth sufficient pam_fprintd.so

works!

This leads to not being able to log in after an upgrade from Ubuntu 14.04 to 15.04, because the old KDE login screen does work with fingerprint scanners, and there's a leftover

auth [success=3 default=ignore] pam_fprintd.so max_tries=1 timeout=10 # debug

in /etc/pam.d/common-auth

Fortunately console logins are unaffected, and fingerprint login works fine.

@jleclanche jleclanche added the feature label Jul 16, 2015

I can confirm @marionline's solution works in Arch as well. My /etc/pam.d/sddm looks like this:

auth        sufficient  pam_fprintd.so
auth        include     system-login
account     include     system-login
password    include     system-login
session     include     system-login

Then, in the sddm login screen I just have to hit enter in the password box, then swipe my finger.

I was not able to make the lock screen authentication work though. Any ideas on which PAM file we should edit?

I added it to the top of
/etc/pam.d/common-auth

and it seems to work for login (though you still have to press enter) as well as the screen saver.

@tomchiverton My distro is Arch, and I don't have the common-auth file in the PAM folder. Would you mind sharing the full content of it so that I could figure out which is the equivalent in my system?

So this is common-auth on Ubuntu :

auth sufficient pam_fprintd.so
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so 
# end of pam-auth-update config

and pam.d/sddm is

#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success

# auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
-auth   optional        pam_gnome_keyring.so
-auth   optional        pam_kwallet.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional       pam_gnome_keyring.so auto_start
-session optional       pam_kwallet.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale
session required        pam_env.so envfile=/etc/default/locale

Hope it helps, PAM configuration annoys me !
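
Added example, not part of the thread or of SDDM: a simplified Python model of how PAM walks the auth lines of the common-auth file quoted above. It shows that a `sufficient` pam_fprintd.so at the top lets a fingerprint alone authenticate, that the password path still works, and that the stack denies when both fail. The `FPRINTD_LAST` variant and the `login` helper are constructed for illustration; `@include`, `substack` and other bracket controls are not modelled.

```python
import re

# Constructed copy of the auth lines of the Ubuntu common-auth quoted above.
COMMON_AUTH = """\
auth sufficient pam_fprintd.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""
# Constructed variant: the same lines with pam_fprintd.so moved to the end.
_lines = COMMON_AUTH.splitlines(True)
FPRINTD_LAST = "".join(_lines[1:] + _lines[:1])
LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Return [(control, module)] for each auth line of a pam.d file."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def evaluate(stack, outcome):
    """Simplified model of one PAM auth pass; outcome maps module -> bool."""
    primed = failed = False
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = outcome.get(module, False)   # unlisted modules count as failing
        i += 1
        jump = re.fullmatch(r"\[success=(\d+)\s+default=ignore\]", control)
        if jump:
            i += int(jump.group(1)) if ok else 0   # success skips N lines
        elif control == "sufficient":
            if ok and not failed:
                return True               # stack stops here, access granted
        elif control in ("required", "requisite"):
            if ok:
                primed = True             # a module has returned success
            elif control == "requisite":
                return False              # deny immediately
            else:
                failed = True             # deny, but keep walking the stack
        elif control != "optional":
            raise ValueError(f"control not modelled: {control}")
    return primed and not failed

def login(config, fingerprint, password):
    outcome = {"pam_fprintd.so": fingerprint, "pam_unix.so": password,
               "pam_permit.so": True, "pam_deny.so": False}
    return evaluate(parse(config), outcome)
```

With `FPRINTD_LAST`, a good fingerprint with no password is denied because `pam_deny.so` ends the stack before `pam_fprintd.so` is reached, which is why the comments in this thread place the line at the top.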

lkhphuc commented Aug 29, 2015

Install fprint, change the two files as tomchiverton showed above, log out, press enter and swipe finger. All done, even though I don't know what you guys are doing. Thank you so much, I've messed around with this fingerprint on Plasma 5.3 for a while.

Ideally pressing enter wouldn't be needed.

Tom

ghost commented Sep 12, 2015

Hello guys, I'm using Kubuntu and I would like to login with my fingerprints. I installed fingerprintd but, what more? Where do I read my fingerprints and store them? I'm a bit lost and I've been waiting a lot of years for this x)

If somebody can help me, I'd really appreciate it!

lkhphuc commented Sep 13, 2015

Just as I said above, install fprint and run it with sudo the first time to configure your finger. Then make the change with 2 files as tomchiverton did in the post right before my post. Then log out, press enter and swipe your finger to log in. The magic is tomchiverton's work.

@jleclanche jleclanche modified the milestones: 1.0, post-0.12 Nov 6, 2015

On Arch, a modification to /etc/pam.d/sddm shouldn't be needed, because the latter includes system-auth and the fingerprint library line goes to system-auth anyway:

auth    sufficient    pam_fingerprint-gui.so

Both sddm and the screenlocker fail to log in or unlock, respectively, on my Lenovo W510 with Arch and fingerprint-gui. Fingerprint authentication and console login works fine on the other hand, based on this howto. Sadly, sddm stays blocked forever after lighting up the touch sensor and needs to be restarted to allow password authentication again. The screenlocker doesn't unlock after a successful swipe and keeps asking for a swipe over and over. Luckily, password authentication still works in this case.

I tried to switch from pam_fingerprint-gui.so to pam_fprintd.so, but that simply doesn't work; after a successful fprintd-enroll, authentication always fails, no matter what. fingerprint-gui can at least enroll the fingerprints and authenticate successfully.

DJViking commented Jan 4, 2016

👍

Some update/progress/idea to achieve this?

👍

Both sddm and the screenlocker fail to log in or unlock, respectively, on my Lenovo W510 with Arch and fingerprint-gui. Fingerprint authentication and console login works fine on the other hand, based on this howto. Sadly, sddm stays blocked forever after lighting up the touch sensor and needs to be restarted to allow password authentication again. The screenlocker doesn't unlock after a successful swipe and keeps asking for a swipe over and over. Luckily, password authentication still works in this case.

I can confirm that in KUbuntu 16.04
Lenovo T450s
SDDM seems to ignore the swipe (lockscreen) or crash on it (login).

aa755 commented Jun 19, 2016

I didn't find much on the web about using KUbuntu 16.04 with lightdm, but lightdm with lightdm-gtk-greeter worked for me. I can now log in using fingerprints. Also, using xscreensaver (and perhaps also light-locker), which also locks my screen after a few minutes of inactivity, I can unlock my existing plasma session using fingerprints.
I don't intend to offend SDDM developers. I am posting this because I think it may be helpful to others who, like me, have been following this thread, hoping to use fingerprints with KUbuntu 16.04. I can post details if anyone is interested.

Ah thank you for that feedback! I'll try that.

mauromol commented Jul 8, 2016

... and in Linux Mint 17.3 KDE as well! Thanks for notifying this, you made me solve a recent problem with login and unlock in KDE!!!

Is there any news about this? :D

Same issue here; it would be interesting to see this feature in SDDM :)

tmpdo commented Oct 29, 2016

+1 to auth via sddm in arch!

dctXOR commented Dec 11, 2016

+1

+1

+1

Canibus commented Apr 10, 2017

+1

I use arch and sddm, and authentication via fingerprint works fine.
All I had to do was add "auth sufficient pam_fprintd.so"
at the top of /etc/pam.d/system-auth as well as at the top of /etc/pam.d/system-local-login.
On SDDM Login or Lock Screen, I simply press enter and scan my finger;
In the console, I authenticate with my fingerprint as well.

So to me, it seems as if it already works on arch...

tmpdo commented Apr 17, 2017

Ohh, removed fingerprint-gui and installed fprintd and auth via sddm works for me too!
Now time for kdewallet!

dgaus commented Apr 17, 2017

Thanks! fprintd is much faster, too

mavoga commented Apr 17, 2017

redtux commented Apr 26, 2017

@TheRealMephisto Are you using an encrypted home directory? I do, and using lightdm-gtk-greeter as you suggested obviously worked fine for PAM authentication, but lightdm still complained about my encrypted $HOME. Thus, in addition to my fingerprint, the login prompt asked me for my user password. Any hints on how to get rid of this?

TheRealMephisto commented Apr 26, 2017

@redtux

I never suggested using lightdm-gtk-greeter, did I?

However, what do you use for encryption?
If there is a corresponding file in /etc/pam.d/, try adding "auth sufficient pam_fprintd.so" at the top.

lkhphuc commented May 1, 2017

Sorry, not really related to sddm here, but fprint just didn't work on my Arch.
I freshly installed it from pacman, but when I run fprintd-enroll it just outputs

list_devices failed: Failed to activate service 'net.reactivated.Fprint': timed out

Fingerprint-gui setup is fine and working, but I cannot get it to work with sddm and lightdm; meanwhile, fprint failed to work.

@notuxius notuxius referenced this issue in netrunner-rolling/QA-Suggestions Aug 6, 2017

Open

[Suggestion] Integrate fingerprint reader into SDDM #129

It seems to suffice now (Kubuntu 16.10) to simply add
auth sufficient pam_fprintd.so
to the top of
/etc/pam.d/common-auth

Can confirm on latest Arch/Plasma that fprintd works like a charm!

beojan commented Dec 2, 2017

While login does, strictly speaking, work with a fingerprint reader, it isn't possible to integrate it properly into the theme. The worst symptom of this is that if login fails three times, SDDM needs to be restarted from another VT.

fusion809 commented Dec 18, 2017

Tried this on KDE Neon, namely changing my /etc/pam.d/common-auth and /etc/pam.d/sddm per @tomchiverton's comment and rebooting, then pressing Enter and swiping my fingerprint, and nothing happened (i.e. I wasn't logged in). When my fingerprint reader is running and waiting for me to swipe my finger it lights up, and it didn't light up. I had enrolled the fingers I wanted to log in with using fingerprint-gui, in case you're wondering. I tried swiping my finger several times just in case it was being quiet about being wrong and my first attempt at swiping it was wrong, and still no success.

blackandcold commented Dec 20, 2017

@fusion809 Don't use fingerprint-gui, use fprintd.
it doesn't work with the gui thingy ;)
Why? idk

OK so how do I do that? Like do I need to change what I add to /etc/pam.d/common-auth or sddm?

blackandcold commented Dec 21, 2017

@fusion809 as @TheRealMephisto wrote:

I use arch and sddm, and authentication via fingerprint works fine.
All I had to do was add "auth sufficient pam_fprintd.so"
at the top of /etc/pam.d/system-auth as well as at the top of /etc/pam.d/system-local-login.
On SDDM Login or Lock Screen, I simply press enter and scan my finger;
In the console, I authenticate with my fingerprint as well.

  1. Remove fingerprint-gui
  2. use the CLI interface of fprintd to enroll your fingers (if not already available after using the GUI) **
  3. put "auth sufficient pam_fprintd.so" into /etc/pam.d/system-auth and /etc/pam.d/system-local-login
  4. try and be happy!

** Arch wiki for fprintd https://wiki.archlinux.org/index.php/Fprint#Create_fingeprint_signature

well I must be lucky, because fprint does not work with my sensor and fingerprint-gui -which does- does not work with sddm /s

Soukyuu commented Dec 27, 2017

Pretty much in the same boat, fprintd does not recognize my fingerprint most of the time and apparently it needs some binary blobs to make it work reliably, which the devs don't want to use.
